That tactic still works, but because computer networks are becoming more resilient, the firepower needed to launch an effective attack is steadily increasing. In response to that development, DDoS warriors are modifying their methods to get more bang for their bytes.

One of those methods is the application DDoS attack.

"An attacker looks for a weak point in an application instead of trying to consume your network resources," Marc Gaffan, founder of Incapsula, told TechNewsWorld.

App Attack

Over time, network resources have become more robust, Gaffan explained, so saturating them requires larger and larger DDoS attacks, which require more and more resources. Application attacks can consume fewer resources for an attacker but more for a defender.

A search function on a website, for example, might be calibrated to handle 10 searches a second. "If I hit your server with 15 or 20 searches per second, I'm going to bring it to a halt," Gaffan explained.

"I don't have to invest in a lot of bandwidth," he continued. "I don't have to invest in a lot of infrastructure. It's a DDoS attack that's a surgical strike."

Login pages at banking sites have been popular targets of application DDoS attacks. When you try to log into your bank, a whole set of backend functions is set in motion that consumes CPU cycles at the site: Fraud prevention is activated; databases are accessed; authentication routines are run; and geolocations are reviewed. All those processes are performed whether a legitimate user or a fake persona is trying to log into the site.

As an attacker, I would hit "that login page with a bunch of bogus usernames and passwords, knowing each request uses up a lot of resources of the target so I don't have to send as much volume of attack traffic as I would if I were trying to flood the network," Michael Smith, CSIRT director for Akamai Technologies, told TechNewsWorld.

"The big trend over time will be smaller attacks with the impact of larger attacks -- smarter, more nimble, more agile attacks," he said.

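A defender-side illustration of the search and login examples above, added here and not taken from the article or from either vendor: each expensive path is capped at its calibrated capacity, and each client at a share of it, so excess requests are shed before any backend work is done. The path name, the per-client limit of 2 per second, and the sample traffic are assumptions; the 10-per-second capacity and the 20-per-second flood reuse Gaffan's numbers.

```python
from collections import Counter

class Bucket:
    """Token bucket: refills `rate` tokens per second, holds at most one second's worth."""
    def __init__(self, rate):
        self.rate, self.tokens, self.last = rate, float(rate), 0.0

    def refill(self, now):
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now

class EndpointLimiter:
    """Caps each expensive path at its calibrated capacity and each client at a share of it."""
    def __init__(self, capacity, per_client):
        self.paths = {p: Bucket(r) for p, r in capacity.items()}  # e.g. {"/search": 10}
        self.per_client = per_client
        self.clients = {}  # (client, path) -> Bucket

    def allow(self, now, client, path):
        if path not in self.paths:
            return True                      # cheap page, not metered
        ep = self.paths[path]
        cl = self.clients.setdefault((client, path), Bucket(self.per_client))
        ep.refill(now)
        cl.refill(now)
        if ep.tokens < 1 or cl.tokens < 1:
            return False                     # shed before fraud checks, DB lookups, etc.
        ep.tokens -= 1
        cl.tokens -= 1
        return True

def constructed_traffic(seconds=3):
    """Constructed sample: one source at 20 searches/s plus five users at 1 search/s."""
    events = []
    for s in range(seconds):
        events += [(s + i / 20, "bot", "/search") for i in range(20)]
        events += [(s + 0.5, f"user{n}", "/search") for n in range(5)]
    return sorted(events, key=lambda e: e[0])

def admitted(events, limiter):
    """Replay (time, client, path) events in order; count admitted requests per client."""
    counts = Counter()
    for now, client, path in events:
        if limiter.allow(now, client, path):
            counts[client] += 1
    return counts

if __name__ == "__main__":
    limiter = EndpointLimiter(capacity={"/search": 10}, per_client=2)
    print(admitted(constructed_traffic(), limiter))
```

The per-path cap is what matters when the flood is spread across many sources, since no single client then exceeds its own share. The per-client table in this sketch grows with every new source, so a deployed version needs eviction of idle entries.
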
Schools Dazed About Security

Captain Renault would probably be as shocked by a survey released last week as he was to discover that gambling took place in Casablanca. The survey found that many colleges and universities blithely transmit documents containing sensitive personal information and financial data about their students and those students' families in naked emails.

The survey by Halock Security Labs of 162 institutions in the United States -- including schools from the Big Ten, Big Eight and Ivy League -- found half of them allowed sensitive information to be transferred in unencrypted emails and a quarter of them actually encouraged such behavior.

Those findings aren't that surprising. After all, data breaches are so common at universities that TeamShatter, a database security news, research and analysis firm, publishes an annual Higher Education Data Breach Madness report that coincides with the bracket choices for the NCAA March Madness basketball tournament in the spring.

This year's report found 51 universities suffered data breaches in 2012, resulting in more than 1.9 million records being compromised -- an all-time high, and more than three times the number compromised in 2011.

Are universities that different from any other organization dealing with high-touch customers?

"I just applied for a mortgage, and a lot of what I did was sending tax documents either by fax or through email," Matthew Green, a professor specializing in cryptography in the computer science department of Johns Hopkins University, told TechNewsWorld.

"I think everybody expects these things will be sent in the clear over email," he added.

Breach Diary

July 26. Walgreens ordered by Marion County, Ind., jury to pay a woman US$1.44 million in damages because one of its pharmacists looked up and shared her prescription history without authorization.

July 29. Halock Security Labs releases survey showing half of U.S. higher education institutions allow sensitive information to be sent to them via email without encryption and 25 percent encourage such transmissions. Use of unprotected email for transmitting financial and personal information puts that information at risk in the event of a data breach, the company said.

July 31. Oregon Health and Science University reveals more than 3,000 patients may have their personal information used for promotional and other purposes because the data was stored in a consumer Google Drive account. Patients admitted to the facility between January 2011 and July 3, 2013, could be affected by the flub.

Aug. 1. District of West Vancouver in Canada warns residents that one of its Web services was breached, compromising personal information, including information on tax and utility bills, bylaw notices, and dog and business license information. No payment card, social insurance numbers or driver's license info was at risk, because the district does not collect and store that kind of data online.